feat(repo): add Sponsor button + GH Packages mirror for sidebar surface

[rohitg00]

Summary

Three additions that make the repo's right-sidebar surface non-empty + give users a one-click fund path.

1. .github/FUNDING.yml

github: [rohitg00]

Renders the Sponsor button at the top of the repo + the Sponsor widget in the right sidebar.

Manual step before merging: the rohitg00 profile needs GitHub Sponsors enabled at https://github.com/sponsors/accounts. Until then the FUNDING.yml link 404s. Once enabled the button + sidebar widget go live instantly.

2. publish-github-packages job in .github/workflows/publish.yml

The repo's right-sidebar Packages widget only surfaces packages published to GitHub Packages, not packages on the public npm registry. New job runs after the existing canonical npm publish completes:

• Rewrites package.json.name from @agentmemory/agentmemory → @rohitg00/agentmemory in-runner
• Pins publishConfig.registry: https://npm.pkg.github.com
• Publishes to GH Packages
• Restores package.json so main isn't permanently scope-changed
• Marked non-fatal (|| echo "non-fatal") so a GH Packages hiccup never blocks the canonical npm release

Auth uses the built-in GITHUB_TOKEN, no new secrets needed. Workflow-level permissions: packages: write added.

Same pattern SkillKit ships today (@rohitg00/skillkit on GH Packages mirroring skillkit on npm).

3. README badge row

Added three badges alongside the existing npm/CI/License/Stars row:

• npm downloads (live monthly count)
• GitHub Packages mirror (links to the new GH Packages page)
• Sponsor rohitg00 (links to https://github.com/sponsors/rohitg00, same as the sidebar widget)

Verification

• YAML structure validates (node -e "...split('\n').length" clean; job names present).
• .github/FUNDING.yml is single-key valid YAML.
• README diff renders the badges in the existing center-aligned <p> block — no layout shift.
• No source code touched; no tests need to run.

Manual follow-up (post-merge)

1. Enable GitHub Sponsors on https://github.com/sponsors/accounts for rohitg00 so the FUNDING.yml link resolves.
2. First release after merge will populate the Packages sidebar widget via the new job. Verify with gh release list → newest release → check the repo right-sidebar after ~2 minutes.

Summary by CodeRabbit

• Chores

  • Enabled GitHub Sponsors to support the project.
  • Added GitHub Packages publishing so releases can be mirrored there; CI workflow updated to scope publishing permissions and include a non-fatal fallback on publish failure.

• Documentation

  • Updated README badges to show sponsorship and GitHub Packages distribution.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agentmemory	Ready	Preview, Comment	May 19, 2026 5:14pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds GitHub Sponsors configuration, updates README badges, and extends the publish workflow to mirror releases to GitHub Packages (with scoped permissions and conditional publish logic).

Changes

GitHub distribution channels

Layer / File(s)	Summary
GitHub Sponsors configuration .github/FUNDING.yml, README.md	Adds github: [rohitg00] in .github/FUNDING.yml and updates the README badge row to show npm downloads, a GitHub Packages mirror badge, and adjusted sponsors badge layout.
GitHub Packages publishing job .github/workflows/publish.yml	Top-level workflow permissions narrowed to contents: read; id-token: write moved to the publish job. Adds publish-github-packages job with permissions.packages: write, conditional logic to rewrite package.json to @rohitg00/agentmemory, check existing versions, publish to npm.pkg.github.com with GITHUB_TOKEN, and restore package.json.

Sequence Diagram

sequenceDiagram
  participant CI as GitHub Actions
  participant npm as npm Registry
  participant gh as GitHub Packages

  CI->>npm: Publish agentmemory to npm
  CI->>gh: Check if `@rohitg00/agentmemory` version exists
  alt Version not found
    CI->>CI: Backup & rewrite package.json to `@rohitg00` scope + registry
    CI->>gh: Publish package to npm.pkg.github.com using GITHUB_TOKEN
    CI->>CI: Restore original package.json
  else Version exists
    CI->>CI: Skip GitHub Packages publish
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• rohitg00/agentmemory#166: Overlaps on publish.yml workflow-level publish logic and GitHub Packages publish steps.
• rohitg00/agentmemory#106: Overlaps README header badge modifications.

Poem

🐰 I hopped to add a sponsor sign,
Badges gleam and mirrors shine,
CI hums, packages take flight,
Restored files sleep through the night,
Agentmemory leaps — publish alright!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: adding GitHub Sponsors funding configuration and a GitHub Packages publishing workflow with sidebar widget support.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/funding-and-gh-packages

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 17-20: The workflow currently grants elevated permissions
(packages: write and id-token: write) at the top-level permissions block; remove
or reduce those workflow-wide entries and instead add scoped permissions on the
specific jobs that require them (e.g., in the job definitions that perform
publishing or need OIDC tokens), granting only packages: write and id-token:
write on those job-level permissions blocks; also apply the same change for the
other top-level permissions occurrences referenced (the second block around the
127-129 region) so no job inherits unnecessary write scopes.
- Around line 130-136: Pin the workflow actions to fixed commit SHAs and harden
credentials/caching: replace the floating tags actions/checkout@v6 and
actions/setup-node@v6 with the corresponding pinned commit SHAs, add
persist-credentials: false to the actions/checkout step, and explicitly disable
package-manager caching in the actions/setup-node step (e.g., set cache: 'none'
or the setup-node option that turns off caching) so the publish job does not
persist credentials or enable package manager caches.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f9c05779-6790-483d-b769-e9870ca1134e

📥 Commits

Reviewing files that changed from the base of the PR and between c2f231f and dd4f60f.

📒 Files selected for processing (3)

• .github/FUNDING.yml
• .github/workflows/publish.yml
• README.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify this workflow still has floating action tags and missing hardening flags.
rg -n '^\s*-\s*uses:\s*[^@]+@v[0-9]+' .github/workflows/publish.yml
rg -n 'persist-credentials:\s*false|package-manager-cache:\s*false' .github/workflows/publish.yml

Repository: rohitg00/agentmemory

Length of output: 218

---

Pin action SHAs and disable credential persistence in publish workflow.

The publish workflow uses floating action tags (actions/checkout@v6 and actions/setup-node@v6 at lines 130-132) instead of pinned commit SHAs, increasing supply-chain risk. Additionally, the checkout action does not disable credential persistence, and the setup-node action does not explicitly disable package-manager cache—both critical hardening measures for privileged jobs.

Suggested hardening diff

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@<pinned-commit-sha>
+        with:
+          persist-credentials: false

-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@<pinned-commit-sha>
         with:
           node-version: 22
           registry-url: https://npm.pkg.github.com
           scope: "`@rohitg00`"
+          package-manager-cache: false

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 130-130: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 130-130: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[error] 132-132: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[error] 132-132: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 130 - 136, Pin the workflow
actions to fixed commit SHAs and harden credentials/caching: replace the
floating tags actions/checkout@v6 and actions/setup-node@v6 with the
corresponding pinned commit SHAs, add persist-credentials: false to the
actions/checkout step, and explicitly disable package-manager caching in the
actions/setup-node step (e.g., set cache: 'none' or the setup-node option that
turns off caching) so the publish job does not persist credentials or enable
package manager caches.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 157-173: The workflow currently rebuilds the package (npm install
/ npm ci / npm run build) then repackages for GitHub Packages in the "Publish
`@rohitg00/agentmemory` to GitHub Packages" step, which can produce a different
tarball than the original npm pack artifact; instead, download the packed
artifact produced by the first job (the uploaded npm pack tarball),
verify/extract or use that exact tarball for publishing (npm publish <tarball>
--registry=https://npm.pkg.github.com) rather than rebuilding, and keep the
existing logic around VERSION and the package.json scope rewrite/check (or adapt
it to operate on the unpacked/packed artifact) so the exact same artifact from
the earlier job is mirrored to GitHub Packages.
- Around line 137-173: The mirror job should be genuinely best-effort: mark the
whole job as non-fatal by adding continue-on-error: true to the job definition
(so failures in the npm install, npm ci, npm run build or the package.json
rewrite won't fail the release), or alternatively set continue-on-error: true on
the individual setup/install/build steps (npm install, npm ci, npm run build)
before the "Publish `@rohitg00/agentmemory` to GitHub Packages" step; ensure the
canonical publish job remains authoritative by leaving its behavior unchanged
and only making this mirror job tolerant of failures.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: acacfdc8-ba40-4452-a2cf-c1e6ff386d37

📥 Commits

Reviewing files that changed from the base of the PR and between dd4f60f and a29a696.

📒 Files selected for processing (1)

• .github/workflows/publish.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make the mirror job genuinely best-effort.

Only Line 171 is treated as non-fatal. Checkout/install/build/rewrite failures in this job still fail the release workflow even after the canonical npm publish has succeeded.

Suggested hardening diff

   publish-github-packages:
     needs: publish
     runs-on: ubuntu-latest
+    continue-on-error: true
     # `packages: write` only here — the public-npm publish job
     # doesn't need it. `contents: read` for the checkout.
     permissions:

🧰 Tools

🪛 zizmor (1.25.2)

[info] 171-171: prefer trusted publishing for authentication (use-trusted-publishing): this command

(use-trusted-publishing)

---

[error] 145-145: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[error] 151-151: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[error] 151-151: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 137 - 173, The mirror job should
be genuinely best-effort: mark the whole job as non-fatal by adding
continue-on-error: true to the job definition (so failures in the npm install,
npm ci, npm run build or the package.json rewrite won't fail the release), or
alternatively set continue-on-error: true on the individual setup/install/build
steps (npm install, npm ci, npm run build) before the "Publish
`@rohitg00/agentmemory` to GitHub Packages" step; ensure the canonical publish job
remains authoritative by leaving its behavior unchanged and only making this
mirror job tolerant of failures.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Publish the same tarball that npm got.

Lines 157-160 rebuild from a fresh dependency resolution instead of reusing the artifact produced by publish. Because this repo generates its lockfile in-runner, the GitHub Packages copy can diverge from the npm package for the same version.

Mirror the packed artifact from the first job (npm pack + upload/download artifact) rather than rebuilding here.

🧰 Tools

🪛 zizmor (1.25.2)

[info] 171-171: prefer trusted publishing for authentication (use-trusted-publishing): this command

(use-trusted-publishing)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 157 - 173, The workflow currently
rebuilds the package (npm install / npm ci / npm run build) then repackages for
GitHub Packages in the "Publish `@rohitg00/agentmemory` to GitHub Packages" step,
which can produce a different tarball than the original npm pack artifact;
instead, download the packed artifact produced by the first job (the uploaded
npm pack tarball), verify/extract or use that exact tarball for publishing (npm
publish <tarball> --registry=https://npm.pkg.github.com) rather than rebuilding,
and keep the existing logic around VERSION and the package.json scope
rewrite/check (or adapt it to operate on the unpacked/packed artifact) so the
exact same artifact from the earlier job is mirrored to GitHub Packages.

[rohitg00]

Already addressed in a29a696 (pushed earlier this session, may have been against the previous round of inline review against dd4f60f).

Finding 1 (workflow-wide write perms): FIXED.

Workflow-level permissions: is now contents: read only. Write scopes are job-scoped:

• publish job: contents: read + id-token: write (required for npm provenance OIDC).
• publish-github-packages job: contents: read + packages: write (required for npm.pkg.github.com push).

Neither job inherits a scope it doesn't need.

Finding 2a (persist-credentials: false): FIXED.

Both actions/checkout@v6 steps now pass persist-credentials: false. The publish steps never push back to the repo, so the GITHUB_TOKEN doesn't need to land in .git/config.

Finding 2b (pin actions to commit SHAs): SKIPPED.

Rationale: pinning to SHAs adds real maintenance cost — Renovate/Dependabot don't auto-bump SHA-pinned actions to new minors, so SHA pinning trades easy semver tracking for stale-action drift. agentmemory pins to verified major-version moving refs (@v6), which GitHub publishes via signed verified tags. The OpenSSF Scorecard rule that motivates SHA-pinning is opinionated; at this repo's scale the maintenance churn outweighs the marginal supply-chain win. Open to revisiting if you'd like — happy to ship a follow-up PR with the SHAs + a Dependabot config that bumps them, but that's a separate scope.

Finding 2c (disable setup-node cache): SKIPPED — no-op.

Verified actions/setup-node@v6 action.yml: cache: input is opt-in (off by default unless explicitly set to npm/yarn/pnpm). The package-manager-cache auto-enable only triggers when package.json declares a top-level packageManager field — agentmemory's doesn't (verified grep -n packageManager package.json is empty). The fix is a no-op on this workflow today.

All findings either shipped or skipped with explicit rationale. Latest commit on the branch is a29a696 if you want to re-review against that SHA.